Automation, cost savings, and data redundancy--no wonder cloud adoption is tempting. The CISO can rest easy knowing there is no vice in moving to the cloud to reap these rewards. What may keep her up at night is not knowing how many missteps the enterprise is making in the process.
Here CISOs and security buffs round up seven security sins that can undermine cloud computing's benefits.
Failing to check IDs at the door
The only secure way to log in to the cloud is through enterprise identity management systems. Though many cloud services permit just about anyone in the organization to sign themselves up, create their own IDs and passwords without registering these with the enterprise, and then connect these credentials to personal email addresses, that does not mean that IT or the business should let it happen.
"While it is easy to start out this way, failing to integrate with enterprise IMS will leave the organization open to leaks, policy violations, and ultimately the inability to secure the cloud," says John Thielens, Chief Security Office of Axway.
In a similar way, some companies that are deploying IaaS do so rather quickly--using self-service capabilities--to address complaints that their IT departments are slow and unresponsive. But this approach bypasses governance, allowing unguarded access to cloud servers.
"People connect to data they should never see, such as legacy project data on VMs that were never shut down," explains Stanton Jones, Emerging Technology Analyst and Cloud Expert at Information Services Group.
And what if it is a customer-facing cloud service? What is the access model? "How will you integrate it to allow user sign on that is similar to, say, the single sign on model you have internally," asks Julie Talbot-Hubbard, Chief Information Security Officer for The Ohio State University.
Letting demands for (secure) APIs fall on deaf ears.
When a company moves to the cloud, users will require APIs (application programming interfaces) so they can uniquely leverage the company's services. The cloud brings internal services and capabilities closer to the customers who will want to access them. API-based integration enables that.
Mobile developers use APIs to build valuable ecosystems on top of companies' internal pieces and business information. "If the developers monetize that, those revenues can cut into your value chain and you should have a share of the proceeds via a developer portal for APIs," explains Thielens.
Having said that, API keys--which developers use to access the API services --have been compared to passwords. Know what happens if you lose your passwords? CISOs using cloud service APIs need a solid security plan for protecting API keys.
Not keeping sufficient independence from cloud providers.
Sign up for CIO Asia eNewsletters.